Managing Client Protection : User Account Control (part 2) - UAC User Interface, How Windows Vista Determines Whether an Application Needs Administrative Privileges

3. UAC User Interface

Windows Vista uses a shield icon to indicate which features of an application require elevated rights. For example, standard users can run Task Manager (as shown in Figure 3), but they will need administrative credentials if they click the Resource Monitor button. The shield icon serves to warn users before they attempt to access a feature they might not have sufficient privileges for.

By default, the consent or credential prompt appears on the secure desktop. The secure desktop freezes and darkens the entire desktop except for the UAC prompt, making it very difficult for malware to trick you into providing consent.

UAC prompts are color-coded to indicate the level of risk associated with the application:

• If the top portion of the dialog is red, policy will prevent the application from running and users do not have the option of allowing it to run.

• If the top portion is yellow, as shown in Figure 4, the application is unsigned, or it’s signed but the certificate is not trusted.

  Figure 4. UAC prompts are color-coded.

  

• If the top portion is green, it indicates that the application is a component of Windows Vista, such as the Microsoft Management Console (MMC), as shown earlier in Figure 2.

• If the top portion is gray, the application is signed and trusted by the local computer.

When training users, point out the color coding. Tell them to pay particular attention to yellow prompts, which indicate an increased risk of the application being malicious.

4. How Windows Vista Determines Whether an Application Needs Administrative Privileges

Windows Vista examines several aspects of an executable to determine whether it should display a UAC prompt before running the application:

• Application properties Users can select the Run As Administrator check box for executable files.

• Application manifest A description of the application provided by the application developer which can require Windows Vista to run the program as an administrator.

• Application heuristics Aspects of the application that might indicate it requires administrative privileges, such as being named “Setup.exe”.

The sections that follow describe each of these aspects and show you how to configure applications so that they always require elevated privileges (which is important if an application does not work properly without elevated privileges but UAC does not automatically prompt the user).

How to Control UAC Using Application Properties

If the application does not automatically run with administrative credentials, you can right-click the application and then click Run As Administrator. If you deploy an application to users, however, you should configure the application to automatically prompt the user if it does not. To mark an application to always run with administrative credentials, follow these steps:

You only need to mark applications that require administrative credentials but do not cause UAC to automatically prompt the user. You cannot set privilege level for Windows components, such as the command prompt. Instead, you should always right-click them and click Run This Program As An Administrator.

How UAC Examines the Application Manifest

For applications to receive a Certified For Windows Vista logo, they must include an embedded requested execution level manifest that specifies the privileges required. The privilege level is one of the following:

• asInvoker or RunAsInvoker The application runs using the standard user privileges, and will not initiate a UAC prompt.

• highestAvailable or RunAsHighest The application requests privileges higher than standard users and generates a UAC prompt. However, if the user does not provide additional credentials, the application will run anyway, using standard privileges. This is useful for applications that can adjust to either higher or lower privilege levels, or for applications that might need more privileges than a standard user, but fewer than a full administrator. For example, backup applications typically need the user to be a member of the Backup Operators group, but do not require the user to be a member of the Administrators group.

• requireAdministrator or RunAsAdmin The application requires administrative privileges, generating a UAC prompt. The application will not run with standard privileges.

Note

To add a manifest to existing applications, use the Application Compatibility Toolkit, which you can download at http://go.microsoft.com/fwlink/?LinkId=23302. To diagnose issues that would prevent a program from running properly as a standard user, use the Microsoft Standard User Analyzer tool, available at http://www.microsoft.com/downloads/details.aspx?FamilyId=DF59B474-C0B7-4422-8C70-B0D9D3D2F575.

UAC Heuristics

If you run an application setup file, UAC will prompt you for administrative credentials. This makes sense, because most installation routines require elevated privileges. However, installers created before Windows Vista do not include a manifest, so Windows Vista has to heuristically detect which executables are setup files.

To do this, Windows Vista examines 32-bit executables without a requested execution level manifest that would be run with standard privileges. If the executable meets those requirements and has a file name or metadata that includes keywords such as install, setup, or update (or several other indicators that it might be an installer), UAC prompts for elevated privileges before running the file. If UAC does not prompt you for administrator credentials for an install, right-click the setup file and then click Run As Administrator. Without administrative privileges, most installations will fail.